Bring your own file system (BYOF) tool executed


What happened

A Bring Your Own Filesystem (BYOF) tool was executed. Attackers use such tools to unpack a self-contained root file system on a compromised host and then download and run additional utilities from inside it.

Goal

Detect execution of the BYOF tool proot, which attackers may use to download and access additional malicious tools.

Strategy

This rule monitors for execution of the proot binary and for processes spawned from the path */freeroot/root.sh, the launcher script of the freeroot file system, which has previously been observed in BYOF compromises.

Triage and response

  1. Review the process tree to understand what initiated the proot execution.
  2. Investigate the file system proot was pointed at (the directory passed as its root, and the contents of the freeroot directory) and determine whether this is authorized activity. proot has legitimate unprivileged-chroot uses, so confirm with the system owner before treating the signal as a compromise.
  3. If the activity is unauthorized, isolate the affected system and investigate the initial access point.
  4. Review related signals and events to establish a timeline of the compromise.
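The following added example is not the Datadog Agent's own rule or its SECL expression; it is a toy re-implementation of the two conditions described in the Strategy section (proot executed, or a process whose own path or any ancestor's path matches */freeroot/root.sh), run over a constructed set of process exec events, and it also renders the process tree that triage step 1 asks for. The event shape, field names and sample records are assumptions made for the example.

```python
"""Added example for this page: a toy re-implementation of the detection
logic described in the Strategy section, plus the process-tree view that
triage step 1 asks for. It is not the Datadog Agent's own rule or its SECL
expression. Event shape, field names and the sample records are assumptions
made for the example."""
import fnmatch
import os
from typing import Dict, List

# Constructed sample process exec events (not captured from a real host).
# ppid 0 marks the root of the tree.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1,   "ppid": 0,   "path": "/sbin/init"},
    {"pid": 200, "ppid": 1,   "path": "/usr/sbin/sshd"},
    {"pid": 201, "ppid": 200, "path": "/bin/bash"},
    {"pid": 202, "ppid": 201, "path": "/usr/bin/curl"},          # fetches the bundle
    {"pid": 203, "ppid": 201, "path": "/tmp/freeroot/root.sh"},  # BYOF bootstrap script
    {"pid": 204, "ppid": 203, "path": "/tmp/freeroot/proot"},    # proot launched by it
    {"pid": 205, "ppid": 204, "path": "/bin/sh"},                # shell inside the new root
    {"pid": 206, "ppid": 205, "path": "/usr/bin/wget"},          # pulls further tooling
    {"pid": 300, "ppid": 1,   "path": "/usr/sbin/cron"},
]

PROOT_NAME = "proot"                 # binary name the rule watches for
BYOF_GLOB = "*/freeroot/root.sh"     # path pattern from the Strategy section


def lineage(by_pid: Dict[int, Dict], pid: int) -> List[Dict]:
    """Return the process and its ancestors, root first.

    The `seen` set guards against malformed data containing ppid cycles.
    """
    chain: List[Dict] = []
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(ev)
        ev = by_pid.get(ev["ppid"])
    chain.reverse()
    return chain


def render_tree(chain: List[Dict]) -> str:
    """Format a lineage as 'init(1) > bash(201) > ...' for a triage note."""
    return " > ".join(f"{os.path.basename(e['path'])}({e['pid']})" for e in chain)


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the two conditions of the rule to every exec event.

    A process is flagged when its binary is named proot, or when its own
    path or any ancestor's path matches */freeroot/root.sh. Each signal
    carries the reasons and the rendered process tree.
    """
    by_pid = {e["pid"]: e for e in events}
    signals: List[Dict] = []
    for e in events:
        reasons: List[str] = []
        if os.path.basename(e["path"]) == PROOT_NAME:
            reasons.append("proot executed")
        chain = lineage(by_pid, e["pid"])
        byof = [a for a in chain if fnmatch.fnmatchcase(a["path"], BYOF_GLOB)]
        if byof:
            reasons.append(f"spawned from {byof[0]['path']} (pid {byof[0]['pid']})")
        if reasons:
            signals.append({"pid": e["pid"], "path": e["path"],
                            "reasons": reasons, "tree": render_tree(chain)})
    return signals


def flagged_pids(events: List[Dict]) -> List[int]:
    """Just the pids the rule would fire on, in event order."""
    return [s["pid"] for s in detect(events)]


if __name__ == "__main__":
    for s in detect(SAMPLE_EVENTS):
        print(f"pid {s['pid']} {s['path']}: {'; '.join(s['reasons'])}")
        print(f"  tree: {s['tree']}")
```

Run as-is, the sample fires on the root.sh launcher, the proot it starts and every descendant of that proot (the shell and the wget inside the new root), while the curl that only downloaded the bundle stays silent; the rendered tree for each signal is the starting point for triage step 1.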

Requires Agent version 7.27 or greater.